
Last Updated: 23-Nov-2006


Removing Spyware

What is Spyware? This umbrella term covers a huge variety of different forms of internet threats that are designed to infest your computer for several purposes. At best (!) these will be manifest in the form of annoying pop-ups urging you to enlist in on-line gambling, to sign-up for porn sites, or other types of advertising.

Spyware can record every detail of your identity and use this data to impersonate you when applying for bank accounts and credit cards; although these may well not affect your existing bank and credit card accounts, they will almost certainly adversely affect your credit status.

At worst, spyware can also record your exact bank and credit card details, including your passwords, and empty all your accounts: at least one of my clients has been affected in this way!

The number and, most critically, the types of spyware are increasing constantly, so there is no one tool that can either prevent all spyware or guarantee to remove all traces of all known spyware.

The essential characteristics of spyware are that they are parasitic and camouflaged. They will sometimes present themselves as "angels" offering to clean up your computer from the 948 viruses apparently resident on your computer; in fact of course, they will do the exact opposite. What's more, the knave who designed the dialogue box with "yes" and "no" buttons, will most likely have programmed both to be "yes"; and this would apply equally to the red "close" button at the top right of most dialogue boxes. In other words, the simple fact that the dialogue box popped up at all means that you have an infection that will certainly not just go away courteously if you say "no".

In some cases spyware is so difficult to remove, that attempting to do so may either fail, or even cripple Windows to the extent that it will no longer be possible to boot the computer.

There is good money to be made using spyware! Hence this form of threat is now the business model for a growing number of enterprises, especially in the USA, China and the former Eastern-Europe Soviet satellite states. However, although they are based in these countries, their target markets are global.

They employ some of the best young programming brains to constantly find ways of defeating or circumventing the best-known prevention and detection software, produced by companies whose employees are just as bright as those "on the other side". However, the defenders are hampered by the fact that they are usually in arrears: they're fire-fighting after the event.

The underlying dynamic of the effectiveness of spyware is the scale of the global internet: it is a numbers game. It costs virtually no more to send out 10m rogue emails than to scatter 1000 (say); and if the success rate is just 0.01%, that means some 100 mugs have been seduced into supplying money to those polite Nigerians, or whoever. If each of them hands over just £1000, that's a cool £100K for very little effort.


Warning: removing spyware can damage your Windows system beyond repair or recovery. It is also a time-consuming process with no certainty of complete success even when undertaken by an experienced professional. You should ensure that all your data files, including emails and email address book, are backed up externally.

The following process is offered in good faith but PC-FirstAid.com Ltd. cannot be held liable for any adverse consequences. Were the process to be handled in our clinic, (see "Virus & Spyware Disinfection Service" under Services above), we would start by making an exact copy (a "drive image") of your drive or drives, thus allowing for a way back in the event of some irrevocable failure during the process below.

Notes:

  • All links in this page are "live" so you can click on them to connect to the relevant web site.

  • The following procedure applies only to Windows XP; earlier versions of Windows are no longer supported by Microsoft and hence are unpatched. It is fair to assume therefore that no amount of removal and prevention is of any use if the basic fabric of Windows is vulnerable.

  • It has been assumed that you have a reasonable level of competence with "driving" Windows; if you have to ask for clarification about any of the steps, then you probably don't!

  • You are advised to keep a detailed log of the steps taken, as well as the results.

  • The processes below refer to a single-user computer; where relevant it will be necessary to repeat a given step for each user.

Phase 1: Manual Cleanup

  1. Start the computer in Safe Mode: shortly after it turns on, press and release the F8 key several times with about a 1 second gap between; this should produce a black-and-white text menu, but if not and the system boots straight into Windows, then repeat the process until you hit the right spot. If your system has already been set up to display a brief B/W menu with just two items every boot - which is what I do with computers that have been work-benched here - then press F8 just as that two-line menu appears.

  2. From the resulting multiple-choice menu, use the keyboard arrow keys to select the top item "Safe Mode" and press Enter.

  3. Once the computer has completed the Safe Mode boot (after displaying a caution to this effect), click on Start | Run then Right-Click on "My Computer" in the menu and select Open.

  4. Right-Click on the item designated as the "C" drive and select Properties | Disk Cleanup.

  5. After a short delay, a Disk Cleanup window will appear; in the "Files to delete" box, ensure that all items with a non-zero value on the right are ticked except "Office Setup Files" if applicable: these should not be deleted.

  6. Before clicking on OK, select the More Options tab, and click the Clean up .... button in the System Restore panel; accept the warning displayed, and proceed with OK. After the redundant Restore Points have been removed, click OK and accept the warning. Once this has completed, close the Properties window.

  7. Repeat steps 4-6 for any other hard disks in your system.

Phase 3: Shut the Door!

  1. Restart the computer normally, and click on Start | All Programs | Accessories | System Tools, then select System Restore. Create a new Restore Point and name it "Cleanup 1" (any name will do).

  2. If you don't have a firewall installed, please install one now! Besides providing protection against unilateral intrusion from other internet computers, most importantly it will stop all outbound traffic and request your permission before allowing any internet access. Before granting such permission, please be 100% certain you recognise the program that is trying to access the internet and that your firewall has blocked from doing so. By definition most spyware is fully effective only when it is capable of sending stuff back to base, and will be the first to attempt to use your internet connection to do so.

  3. You can download the free version of Zone Alarm from http://tinyurl.com/dz2lx. During the installation process you will be asked to choose between the professional and the free versions: choose the latter.

  4. The steps below require that several programs be downloaded and updated before being run; thus when Zone Alarm reports that the relevant just-installed program is trying to access the internet, it follows that you must grant permission for permanent internet access!

  5. Go to Start | Control Panel | Internet Options | Privacy | Advanced and tick in the "Override automatic cookie handling" box; then click to have First Party Cookies set to Prompt and Third Party Cookies set to Block. Do not tick the "Always allow session cookies" box.

  6. Return to the General tab and delete all Temporary Internet Files, Cookies, and History. If you've installed the recently-launched Internet Explorer 7, you will also be able to delete Form Data and Passwords.

  7. Finally go to the Advanced tab and scroll down to Security; then tick the box against "Empty Temporary Internet Files folder when browser is closed".

  8. Repeat steps 5 - 7 for each user if applicable.
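
An added example (not part of the original page, and not any firewall vendor's code) of the check step 2 asks for before granting outbound permission: it compares each prompting program's full path, not just its file name, against the programs you have knowingly approved. The CSV log layout, the sample lines and the `exampleav` path are constructed for illustration.

```python
import csv
import io
import ntpath

# Programs the user has knowingly approved, as lower-cased full paths.
# Constructed sample values; "exampleav" is a hypothetical product.
APPROVED = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files\exampleav\update.exe",
}

# Constructed sample of outbound-access prompts in a made-up CSV layout
# (time, program path, destination host, port). Not a real firewall's format.
SAMPLE_LOG = r"""
10:02:11,C:\Program Files\Internet Explorer\iexplore.exe,www.example.org,80
10:02:40,C:\Program Files\ExampleAV\update.exe,updates.example.net,443
10:03:05,C:\WINDOWS\Temp\iexplore.exe,collect.example.com,80
10:03:09,C:\Documents and Settings\user\freecleaner.exe,collect.example.com,8080
"""


def triage(log_text, approved=APPROVED):
    """Return (program path, destination, reason) for every prompt that
    should be denied until the program has been identified."""
    approved_names = {ntpath.basename(p) for p in approved}
    findings = []
    for row in csv.reader(io.StringIO(log_text.strip())):
        if len(row) != 4:
            continue  # skip malformed lines rather than guess at them
        _time, path, host, port = (field.strip() for field in row)
        key = path.lower()
        if key in approved:
            continue  # exact path was approved earlier
        if ntpath.basename(key) in approved_names:
            # Familiar file name in a folder it was never approved from.
            reason = "approved name, unexpected folder"
        else:
            reason = "unrecognised program"
        findings.append((path, f"{host}:{port}", reason))
    return findings


if __name__ == "__main__":
    for path, dest, reason in triage(SAMPLE_LOG):
        print(f"DENY  {path} -> {dest}  ({reason})")
```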

Phase 4: Virus Removal

  1. Restart the computer normally, and click on Start | All Programs | Accessories | System Tools, then select System Restore. Create a new Restore Point and name it "Pre-Spyware Cleanup" (any name will do).

  2. Update your antivirus program; if any updates are downloaded as a result, then after installing them (which may require a system reboot), please repeat the manual update until the program responds that there are no further updates.

  3. Next, run a FULL system scan. If any viruses are detected, repeat the scan, and continue doing so until no further viruses are detected. Important: it is essential that you have a very recent version of your antivirus program. Simply subscribing to be allowed to download the latest virus definitions files is no longer a valid protection strategy: older versions of even the best products (e.g. Norton Antivirus 2004 or 2005) are simply not engineered to detect the latest forms of threat.

  4. If you don't have an antivirus program, or if your version is very old, you should assume that you have been using the web completely unprotected. It is just possible that installing a recent version of a good AV program may detect and remove all viruses: you could try the excellent AVG Free from http://free.grisoft.com/doc/1.

  5. After obtaining a "virus free" position, create a new Restore Point (see 3.1 above) and name it "Cleanup 2".

  6. Then repeat steps 1.4 - 1.6 above.

Phase 5: Spyware Removal

  1. Install Spybot Search & Destroy from http://tinyurl.com/54vbt and after installation, please let the program run through its self-running initialisation process. When this has concluded, including downloading all available updates and immunising the system, you must click on the "Search & Destroy" and then the "Check for problems" buttons. If Spybot finds any problems it will offer to try to remove them: accept this offer.

  2. Some problems may be so entrenched that Spybot will request permission to run again at boot time; i.e. to set itself up to run so early on in the boot sequence that it is able to remove spyware that, once actually loaded, is proof against any attempts to remove it.

  3. You should run Spybot repeatedly until it proclaims your system clean.

  4. However no one anti-spyware program is capable of detecting and removing all forms of spyware, so you're not done yet!

  5. Install Lavasoft Ad-Aware from http://tinyurl.com/fqzso and as with Spybot, update the program and run a full system scan.

  6. You should run Ad-Aware repeatedly until it proclaims your system clean.

  7. Install Windows Defender from http://tinyurl.com/47cus and update the program and run a full system scan; note that immediately after installation it will offer to self-update and run a quick scan. Let it do this, but you should then manually trigger a full scan.

  8. You should run Windows Defender repeatedly until it proclaims your system clean.

  9. Install the PC Tools Spyware Doctor free trial version: http://tinyurl.com/5p9es and as above, you should let the program update on-line and run a full system scan.

  10. You should run Spyware Doctor repeatedly until it proclaims your system clean.

  11. Uninstall Spyware Doctor; then install the free trial version of Webroot SpySweeper from http://tinyurl.com/ygzwuv and again you should let the program update on-line and run a full system scan.

  12. You should run SpySweeper repeatedly until it proclaims your system clean.

  13. Repeat the above full scans with AVG (or your own antivirus program), Spybot, Ad-Aware, Windows Defender and SpySweeper.

  14. Hopefully there will be no further detections.

  15. Create a new Restore Point and name it "post disinfection".

  16. If more than one user account has been created, you should repeat step 13 for each user.

Phase 6: Spyware Prevention - Software

  1. The free programs above should be retained; however I strongly recommend that you choose either Spyware Doctor or Spy Sweeper and purchase the full product. If you decide upon Spyware Doctor, please ensure that you uninstall Spy Sweeper first, as it is not a good idea to have two such programs in "live" mode on one computer.

  2. Install Spyware Blaster from http://tinyurl.com/3eswk and after it has installed and been updated, please ensure that all possible immunisations are applied. This free program applies a number of "locks" to the all-important Windows Registry that should help protect it from further infections; note that SpyBot does the same but with a different set of locks.

  3. You should force a manual update of all your internet defence programs once a week, and then run full system scans with each in the order above.

Phase 7: Spyware Prevention - Good Practice

  1. The adage "Prevention is better than cure" most certainly applies with regard to the various internet vulnerabilities.

  2. Be very careful when your firewall requests permission to allow a program that is attempting to access the internet.

  3. Do allow cookies where appropriate: secure sites, in particular, will not work unless they can download cookies. These include bank and other financial institution sites, shopping sites, and those that require some form of name and password to log-in. Most other sites have no business planting cookies on your computer and you should always try to access the site while refusing to allow cookies; you will normally find that they will let you browse anyway. However if after browsing you decide to sign up or make a purchase, then you will have to allow cookies.

  4. If you have permanently disallowed cookies from a site and subsequently wish to reverse that decision, then in Internet Explorer go to Tools | Options | Privacy | Sites; in the list of Managed Websites, scroll down until you find the site in question, with an "Always Block" setting against its name. Select the site name under the Domain column, and click on Remove (you will need to be very careful that you do not accidentally click on the Remove All button!). If you were to examine the list, you will discover a huge list of usually suspiciously-named sites pre-set to "Block", sites that you have never visited: these pre-blocked sites will have been added here automatically by one or more of the programs above, especially SpyBot and Spyware Blaster, as part of their immunisation function.

  5. Under no circumstances accept any uninvited solicitations to download free software of the type that purports to clean up your computer, to protect it in some way, or otherwise "be your friend". It is almost always the case that these are themselves a form of spyware.

  6. Be especially cynical with regard to sites that allow you - or the younger members of your family - to download free music and movies. To begin with, this is illegal; and of greater relevance to this exercise, the "free" service is almost invariably provided at a hidden price: the ability to download some pretty dangerous stuff behind the scenes. Once the program has been validated by the user to pass through the firewall and to be "green lighted" by the other defences that you have installed, such programs then provide a "safe passage" to the rest of the spyware community.

  7. In fact you will need to educate other family members very carefully as part of good practice: the money-making community know that it is not easy to fool most adults. However their offspring usually use the same computers as their parents, and if the kids' inexperience and naïveté can be exploited, then the crooks can gain access to their parents' data that way.

  8. Sites that provide free "adult content" are especially dangerous; visit them at your peril. I make no moral judgement on this issue, just a caution that somewhere, somehow, somebody is making money after having gone to the trouble, and expense, of providing ostensibly free services.
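
An added example (not part of the original page, and not Internet Explorer's own code) that models how the cookie settings from Phase 3 step 5 and the Managed Websites list from Phase 7 step 4 combine into one decision per cookie. The site names are constructed, and `site_of` is a simplifying assumption: it treats the last two labels of a host name as the site, which is wrong for suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Settings as chosen in Phase 3 step 5 of this page.
POLICY = {
    "first_party": "prompt",
    "third_party": "block",
    "always_allow_session": False,  # the box the page says not to tick
}

# Per-site entries as they would appear in the Managed Websites list.
# Constructed sample sites.
MANAGED_SITES = {"bank.example": "allow", "tracker.example": "block"}


def site_of(host):
    """Simplified 'site' of a host: its last two labels (assumption; a real
    implementation needs a public-suffix list for names like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def decide(page_url, cookie_host, session_cookie=False,
           policy=POLICY, managed=MANAGED_SITES):
    """Return 'allow', 'block' or 'prompt' for a cookie set by cookie_host
    while the user is viewing page_url."""
    cookie_site = site_of(cookie_host)
    # 1. A per-site entry overrides the general settings.
    if cookie_site in managed:
        return managed[cookie_site]
    # 2. Session cookies bypass the rules only if that box was ticked.
    if session_cookie and policy["always_allow_session"]:
        return "allow"
    # 3. Otherwise the answer depends on who is setting the cookie:
    #    the site being visited (first party) or anyone else (third party).
    page_site = site_of(urlsplit(page_url).hostname or "")
    party = "first_party" if cookie_site == page_site else "third_party"
    return policy[party]


if __name__ == "__main__":
    print(decide("https://shop.example/basket", "www.shop.example"))
    print(decide("https://shop.example/basket", "ads.adnet.example"))
    print(decide("https://news.example/", "cdn.tracker.example"))
```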